Fuel Master access control improvements
https://blueprints.launchpad.net/fuel/+spec/access-control-master-node-improvments
Fuel Master node access control was introduced in the 5.1 release cycle.
In the next release, some configuration tuning is required to make it easier
to use and upgrade.
Problem description
The current implementation has the following problems:
- Each request is validated by middleware using the keystone admin token.
This method is deprecated.
- If a user changes their password, it is not possible to run the upgrade.
- Outdated tokens are not cleaned up, which in the long term
may lead to running out of space.
- There is no cookie support, so some GET requests from the UI cannot be validated.
- After login, the password is stored in the browser cache.
Proposed change
- Create users nailgun and ostf with admin roles, which will be used
to authenticate requests in middleware. Both will be added to a new
services tenant.
- Passwords will be generated by fuelmenu for a fresh install and by the upgrade
script in case of an upgrade.
- During upgrade there will be a puppet run for keystone that will add the new
project and users.
- Ask the user for the password before upgrade.
- Create a cron script which runs in the keystone container and deletes outdated
tokens using the keystone-manage token_flush command.
The script will run once per day.
- Add support for cookies, which will also allow testing the API from a browser.
- Increase token expiration time to 24h, so it will not be necessary to
store the password in the browser cache.
- Add two services to keystone: nailgun and ostf, together with endpoints
pointing to their URLs, to enable service discovery instead of hardcoded URLs.
- Use keystonemiddleware instead of the deprecated keystoneclient.middleware.
Data model impact
There will be two new users, two new services and two new endpoints
in the keystone database.
Upgrade impact
During the upgrade, the user will be asked to give an admin user password.
Security impact
Using a service user instead of admin_token to verify requests is safer.
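The check below is an added example, not code from Fuel or this blueprint: it audits a middleware configuration for the change described above, flagging admin_token and confirming a nailgun or ostf service user in the services tenant. It assumes the settings live in an INI-style [keystone_authtoken] section using keystonemiddleware's auth_token option names; both sample configs and their values are constructed.

```python
import configparser

# Constructed sample configs. Option names are keystonemiddleware auth_token
# options; where Fuel actually keeps these settings is an assumption.
BEFORE = """
[keystone_authtoken]
auth_uri = http://127.0.0.1:5000/
identity_uri = http://127.0.0.1:35357/
admin_token = CONSTRUCTED-SHARED-TOKEN
"""

AFTER = """
[keystone_authtoken]
auth_uri = http://127.0.0.1:5000/
identity_uri = http://127.0.0.1:35357/
admin_user = nailgun
admin_password = CONSTRUCTED-GENERATED-PASSWORD
admin_tenant_name = services
"""

SERVICE_USERS = {"nailgun", "ostf"}  # service users named in the spec
SERVICE_TENANT = "services"          # tenant named in the spec


def audit_authtoken(ini_text):
    """Return a list of findings for the [keystone_authtoken] section."""
    # interpolation=None so a generated password containing '%' parses cleanly
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("keystone_authtoken"):
        return ["no [keystone_authtoken] section"]
    sec = cp["keystone_authtoken"]
    findings = []
    if sec.get("admin_token"):
        findings.append("admin_token is set: requests are validated with the shared admin token")
    user = sec.get("admin_user")
    if user not in SERVICE_USERS:
        findings.append("admin_user is %r, expected one of %s" % (user, sorted(SERVICE_USERS)))
    if not sec.get("admin_password"):
        findings.append("admin_password is missing")
    if sec.get("admin_tenant_name") != SERVICE_TENANT:
        findings.append("admin_tenant_name is not %r" % SERVICE_TENANT)
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_authtoken(text) or "ok")
```

Running the same audit after an upgrade confirms that the puppet run and upgrade script left no admin_token behind.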
Notifications impact
None
Other end user impact
None
Other deployer impact
None
Developer impact
When cookie support is added, developers will be able to test the API from a browser.
Implementation
Work Items
Must have items:
- Create new users during fresh install and during upgrade.
- Ask for admin user password before upgrade.
- Remove usage of admin_token in Fuel.
The rest of the items can be done later and separately.
Testing
All tests from the previous blueprint should still apply here.
System tests may require changes to pass the password to the upgrade
script.
Documentation Impact
Documentation describing the internal architecture should be created.
It should contain examples of how to use curl with the API.